DESCRIPTION

This plugin provides an interface for querying an ident service on a remote system. The ident protocol helps identify the user of a particular TCP connection. If the remote client connecting to your Mojolicious application is running the ident service you can identify the remote users' name. This can be useful for determining the source of abusive or malicious behavior. Although ident can be used to authenticate users, it is not recommended for untrusted networks and systems (see CAVEATS below).

OPTIONS

timeout

Default number of seconds to wait before timing out when contacting the remote ident server. The default is 2.

port

plugin 'ident' => { port => 113 };

Port number to connect to. Usually this will be 113, but you may want to change this for testing or some other purpose.

HELPERS

ident [ $tx, [ $timeout ] ], [ $callback ]

This helper makes a ident request. This helper takes two optional arguments, a transaction $tx and a timeout $timeout. If not specified, the current transaction and the configured default timeout will be used. If a callback is provided then the request is non-blocking. If no callback is provided, it will block until a response comes back or the timeout expires.

The ident response class also has a same_user method which can be used to determine if the user which started the Mojolicious application and the remote user are the same. The user is considered the same if the remote connection came over the loopback address (127.0.0.1) and the username matches either the server's username or real UID. Although this can be used as a simple authentication method, keep in mind that it may not be secure (see CAVEATS below).

ident_same_user [ $tx, [ $timeout ] ], [ $callback ]

This helper makes an ident request and attempts to determine if the user that made the request is the same as the one that started the Mojolicious application. This helper takes two optional arguments, a transaction $tx and a timeout $timeout. If not specified, the current transaction and the configured default timeout will be used. If a callback is provided then the request is non-blocking. If no callback is provided, it will block until a response comes back or the timeout expires.

When the response comes back it will call the callback and pass in a boolean value indicating if the user is the same. If the ident request connects and does not timeout, then result will be cached. If cached the callback may be called immediately, before re-entering the event loop.

without a callback this helper will return true or false depending on if the user is the same. It should never throw an exception.

CAVEATS

The RFC for the ident protocol clearly states that ident should not be used for authentication, at most it should be used only for audit (for example annotating log files).

In Windows and possibly other operating systems, an unprivileged user can listen to port 113 and on any untrusted network, a remote ident server is not a secure authentication mechanism. Most modern operating systems do not enable the ident service by default, so unless you have control both the client and the server and can configure the ident service securely on both, its usefulness is reduced.

Using this module in the non-blocking mode requires that AnyEvent use its EV implementation, which is also used by Mojolicious, if it is loaded. This shouldn't be a problem, as EV is a prerequisite to this module (though it does not use it directly), and both AnyEvent and Mojolicious will prefer to use EV if it is installed. You do have to make sure that you do not force another event loop, such as AnyEvent::Loop, unless you are using only the blocking mode.

Mojolicious 4.28 introduced support for non-blocking operations in bridges. Prior to that if a bridge returned false the server would generate a 404 "Not Found" reply. In 4.29 a bridge returning false would not render anything and thus timeout if the bridge didn't render anything. Thus in older versions of Mojolicious this:

under sub { shift->ident_same_user };

would return 404 if the remote and local users are not the same. To get the same behavior in both new and old versions of Mojolicious:

Most of the time you should really return a 403, instead of not found (as in the synopsis above), but this is what you would want to do if you wanted a resource to be invisible and unavailable rather than just unavailable to the wrong user.

I only mention this because old versions of this plugin had documentation which included the older form in its synopsis.

AUTHOR

Graham Ollis <plicease@cpan.org>

COPYRIGHT AND LICENSE

This software is copyright (c) 2012 by Graham Ollis.

This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself.